[Bro] DNS alert for CryptoLocker?
Liam Randall
liam at broala.com
Wed Nov 6 08:56:13 PST 2013
I have a whole crap load of DNS & Recon scripts I did for bsides DC I just
haven't had time to post yet.
Too many NXDomains:
https://gist.github.com/LiamRandall/7339749
Tune as you see fit. Important note- if you are only instrumented at the
ingress/egress point you will most likely only be seeing your recursive
resolver.
Liam
On Wed, Nov 6, 2013 at 11:02 AM, anthony kasza <anthony.kasza at gmail.com> wrote:
> I wrote this: https://github.com/anthonykasza/nxes
>
> It's not exactly what you're looking to do, as it doesn't make use of the
> SumStats framework. Hopefully you still find it helpful.
>
> -AK
> On Nov 6, 2013 7:41 AM, "Tyler T. Schoenke" <tyler.schoenke at colorado.edu>
> wrote:
>
>> So I don’t have to reinvent the wheel, does anyone have a script to alert
>> when a bunch of DNS nxdomain response codes are returned? We had a
>> CryptoLocker infected system. Here is a snippet of the DNS queries it was
>> performing. I assume the script will be fairly trivial to write with the
>> new metrics framework.
>>
>> 1382548938.833528 GMCxsRbK0Ai 128.x.y.z 58872 128.a.b.c
>> 53 udp 11849 ndqycnknvoouv.net 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548944.705308 gNc8acns5pe 128.x.y.z 57136 128.a.b.c
>> 53 udp 29248 hcanlyoattqnk.info 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548947.922531 2wQ3L1SjO2i 128.x.y.z 55438 128.a.b.c
>> 53 udp 37701 pggqvjlpjuvfj.biz 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548950.164884 K6SBCLsCeHd 128.x.y.z 62257 128.a.b.c
>> 53 udp 27109 rkvrpstomducl.org 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382548952.804004 A3cpzxeprDd 128.x.y.z 62188 128.a.b.c
>> 53 udp 19436 xdlmipcfinsnx.info 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548953.848624 oFpUoyQaeT6 128.x.y.z 58160 128.a.b.c
>> 53 udp 64315 yskkfkmsvjyjh.com 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548956.153981 42MqOejLeC7 128.x.y.z 61254 128.a.b.c
>> 53 udp 25859 bwalyturyrxgh.biz 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548960.964978 iwlngihsWR2 128.x.y.z 59060 128.a.b.c
>> 53 udp 49446 wfffkyemceall.info 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548965.228544 BSHfNWkQmN2 128.x.y.z 50542 128.a.b.c
>> 53 udp 64599 gxfbvapxgjhhwir.ru 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382548966.392850 AL4jDt0K4Bl 128.x.y.z 65068 128.a.b.c
>> 53 udp 60778 pbxksllrmivxhjc.org 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382548998.923970 hvrkgMU1nj9 128.x.y.z 64366 128.a.b.c
>> 53 udp 58017 - - - - - 0
>> NOERROR F F F T 0
>> 212.71.250.4,212.71.250.4 0.000000,0.000000 F
>>
>> 1382549001.210921 F0wHtNhVKQj 128.x.y.z 53692 128.a.b.c
>> 53 udp 18268 eijwmsocubkbifr.com 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549004.587866 dupMP8ecnh9 128.x.y.z 65102 128.a.b.c
>> 53 udp 55272 - - - - - 3
>> NXDOMAIN F F F F 0 - - F
>>
>> 1382549005.590564 8hHrrWK3ySg 128.x.y.z 53233 128.a.b.c
>> 53 udp 49644 csnrwkgpneybfdw.org 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382549008.355729 2zHHnrpDv94 128.x.y.z 49268 128.a.b.c
>> 53 udp 48578 yxhlnnrvnxwhvjb.info 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382549009.401946 XGYKkM7TJHb 128.x.y.z 58084 128.a.b.c
>> 53 udp 21374 ypqijlryiuibvra.com 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382549011.483780 jPbHypWQKyh 128.x.y.z 56556 128.a.b.c
>> 53 udp 38615 gfidmpcvtbjipor.biz 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549014.515443 ndy7OcvfED 128.x.y.z 49785 128.a.b.c
>> 53 udp 11355 - - - - - 3
>> NXDOMAIN F F F F 0 - - F
>>
>> 1382549015.564495 qkrQfYjmd8g 128.x.y.z 64433 128.a.b.c
>> 53 udp 45 - - - - - 0
>> NOERROR F F F T 0
>> 212.71.250.4,212.71.250.4 0.000000,0.000000 F
>>
>> 1382549017.104583 bQbmeVq6PSl 128.x.y.z 60956 128.a.b.c
>> 53 udp 21595 epmydibaismctwn.info 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382549020.276359 ZyCXQrFDUie 128.x.y.z 58936 128.a.b.c
>> 53 udp 45237 taxkcsutphxwues.biz 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549021.295831 DDxa09moudg 128.x.y.z 51396 128.a.b.c
>> 53 udp 14981 ooqydautbpucsxk.ru 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549024.077917 utOUlYH43La 128.x.y.z 61588 128.a.b.c
>> 53 udp 33615 - - - - - 0
>> NOERROR F F F T 0 212.71.250.4
>> 0.000000 F
>>
>> 1382549026.376626 7NYXLG3zOJ4 128.x.y.z 52200 128.a.b.c
>> 53 udp 30833 myuutstxphxvlmn.com 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549028.599961 MBxVPKOcOl3 128.x.y.z 58592 128.a.b.c
>> 53 udp 49290 ohfvyihiguvwuxp.biz 1 C_INTERNET
>> 1 A - - F F T F 0
>> - - F
>>
>> 1382549031.847178 vD02D08eII4 128.x.y.z 61924 128.a.b.c
>> 53 udp 23377 shocdnhyfmdfsoj.co.uk 1 C_INTERNET
>> 1 A - - F F T F 0 -
>> - F
>>
>> 1382549034.478314 n3WCj7AlLU2 128.x.y.z 60108 128.a.b.c
>> 53 udp 33753 tmyedwcqvvykcjj.com 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549036.575201 caR4StggyDa 128.x.y.z 52132 128.a.b.c
>> 53 udp 4039 oxsaegepxdvieuh.biz 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549037.595521 OgiZzasfva3 128.x.y.z 52622 128.a.b.c
>> 53 udp 49144 cbcrkxjuurixfpe.ru 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549038.784184 fbHvNBwyQr6 128.x.y.z 65484 128.a.b.c
>> 53 udp 51376 pddcepyhomrngqq.org 1 C_INTERNET
>> 1 A 3 NXDOMAIN F F T F
>> 0 - - F
>>
>> 1382549039.995781 MdZxaa06IYh 128.x.y.z 56073 128.a.b.c
>> 53 udp 1505 novnagkvsgbfbvv.co.uk 1 C_INTERNET
>> 1 A 0 NOERROR F F T T 0
>> 212.71.250.4,212.71.250.4 0.000000,0.00000
>>
>> Thanks,
>>
>> Tyler
>>
>> --
>> Tyler Schoenke
>> Network Security Program Manager
>> IT Security Office
>> University of Colorado at Boulder
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
--
Liam Randall
Managing Partner
510-281-0760
www.Broala.com <http://www.broala.com/>
From the creators of Bro <http://www.bro.org>